title: Conversion of Generic Rules into Powershell Specific EventID Rules
order: 10
logsources:
  ps_module:
    category: ps_module
    product: windows
    conditions:
      EventID: 4103
    rewrite:
      product: windows
      service: powershell
  ps_script:
    category: ps_script
    product: windows
    conditions:
      EventID: 4104
    rewrite:
      product: windows
      service: powershell
  # for the "classic" channel
  ps_classic_start:
    category: ps_classic_start
    product: windows
    conditions:
      EventID: 400
    rewrite:
      product: windows
      service: powershell-classic
  ps_classic_provider_start:
    category: ps_classic_provider_start
    product: windows
    conditions:
      EventID: 600
    rewrite:
      product: windows
      service: powershell-classic
  ps_classic_script:
    category: ps_classic_script
    product: windows
    conditions:
      EventID: 800
    rewrite:
      product: windows
      service: powershell-classic
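The config above only makes sense together with the converter that applies it, so here is an added, self-contained illustration (my own code, not sigmac's or SigmaHQ's) of how a generic logsource config of this shape rewrites a Sigma rule: a rule written for `category: ps_script` is retargeted at `service: powershell` and gets an `EventID: 4104` condition attached. The matching and injection semantics (an entry matches when every category/product/service key it defines agrees with the rule's logsource, the first match wins, `rewrite` replaces the matched keys, `conditions` are AND-ed onto the rule's condition under a block name of my choosing) are assumptions stated in the code; the logsources dict is a transcription of the YAML on this page.

```python
# Added example, not part of the config file above and not sigmac's own code:
# shows how a generic logsource config of this shape is applied to a Sigma rule.
#
# Assumptions (mine): an entry matches when each category/product/service key it
# defines equals the rule's logsource value; the first matching entry wins;
# `rewrite` replaces the matched logsource keys; `conditions` are added as a
# named field-value block AND-ed onto the rule's condition.

import copy
from typing import Any, Dict

# Transcription of the page's logsources block into a Python dict (same values).
POWERSHELL_LOGSOURCES: Dict[str, Dict[str, Any]] = {
    "ps_module": {
        "category": "ps_module", "product": "windows",
        "conditions": {"EventID": 4103},
        "rewrite": {"product": "windows", "service": "powershell"},
    },
    "ps_script": {
        "category": "ps_script", "product": "windows",
        "conditions": {"EventID": 4104},
        "rewrite": {"product": "windows", "service": "powershell"},
    },
    # the "classic" channel
    "ps_classic_start": {
        "category": "ps_classic_start", "product": "windows",
        "conditions": {"EventID": 400},
        "rewrite": {"product": "windows", "service": "powershell-classic"},
    },
    "ps_classic_provider_start": {
        "category": "ps_classic_provider_start", "product": "windows",
        "conditions": {"EventID": 600},
        "rewrite": {"product": "windows", "service": "powershell-classic"},
    },
    "ps_classic_script": {
        "category": "ps_classic_script", "product": "windows",
        "conditions": {"EventID": 800},
        "rewrite": {"product": "windows", "service": "powershell-classic"},
    },
}

MATCH_KEYS = ("category", "product", "service")
CONDITIONS_BLOCK = "logsource_conditions"  # hypothetical name for the injected block


def logsource_matches(entry: Dict[str, Any], rule_logsource: Dict[str, Any]) -> bool:
    """True when every match key the entry defines agrees with the rule's logsource."""
    return all(rule_logsource.get(k) == entry[k] for k in MATCH_KEYS if k in entry)


def apply_generic_config(rule: Dict[str, Any],
                         logsources: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Return a copy of `rule` with its logsource rewritten and EventID conditions injected."""
    out = copy.deepcopy(rule)
    ls = out.setdefault("logsource", {})
    for entry in logsources.values():
        if not logsource_matches(entry, ls):
            continue
        # Replace the generic keys that matched with the concrete channel definition.
        for k in MATCH_KEYS:
            if k in entry:
                ls.pop(k, None)
        ls.update(entry.get("rewrite", {}))
        conditions = entry.get("conditions")
        if conditions:
            detection = out.setdefault("detection", {})
            detection[CONDITIONS_BLOCK] = dict(conditions)
            base = detection.get("condition")
            detection["condition"] = (f"({base}) and {CONDITIONS_BLOCK}"
                                      if base else CONDITIONS_BLOCK)
        break  # first matching entry wins
    return out


if __name__ == "__main__":
    # Constructed sample rule (not a real SigmaHQ rule).
    sample = {
        "title": "Example script block rule",
        "logsource": {"category": "ps_script", "product": "windows"},
        "detection": {"selection": {"ScriptBlockText|contains": "example"},
                      "condition": "selection"},
    }
    print(apply_generic_config(sample, POWERSHELL_LOGSOURCES))
```

Running the script prints the sample rule with `logsource` changed to `product: windows, service: powershell` and the detection extended with `EventID: 4104`; a rule whose product is not `windows` (or whose category is not one of the five generic PowerShell categories) passes through untouched, which is the check worth keeping in mind when a generic rule silently fails to pick up the expected channel.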